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(54) System and method for providing anonymous personalized browsing in a networic 



(57) For use with a network having sender sites ca- 
pable of being browsed by users based on identifiers 
received into the server sites and personal to the users, 
alternative proxy systems for providing substitute Iden- 
tifiers to the server sites that allow the users to browse 
the sen/er sites anonymously via the proxy system. A 
central proxy system Includes computer-executable 
routines that process site-specific substitute identifiers 
constructed from data specific to the users, that trans- 
mits the substitute Identifiers to the server sites, that re- 



transmits browsing commands received from the users 
to the server sites, and that removes portions of the 
browsing commands that would identify the users to the 
server sites. The foregoing functionality is performed 
consistently by the central proxy system during subse- 
quent visits to a given server site as the same site spe- 
cific substitute identifiers are reused. Consistent use of 
the site specific substitute identifiers enables the server 
site to recognize a returning user and, possibly, provide 
personalized service. 
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Description 

TECHNICAL FIELD OF THE INVENTION 

The present Invention is directed, in general, to net- 
works and, more specifically, to a system and method 
that allows a user to browse personalized sender re- 
sources on a network anonynrwusly. 

BACKGROUND OF THE INVENTION 

The Internet is a well-known collection of networks 
(e,g., public and private data communication and multi- 
media networks) that work together (cooperate) using 
common protocols to fonm a world wide network of net- 
works. 

In recent years, the availability of more efficient, re- 
liable and cost-effective computers and networking 
tools have allowed many companies and individuals 
(collectively, "users") to become involved in an ever 
growing electronic marketplace. The Immeasurable 
gains in technology experienced by the computer Indus- 
try overall have allowed these users to rely on commer- 
cially available computers, such as personal computers 
("PCS"), to meet their information processing and com- 
munication needs. To that end. PC manufacturers equip 
most PCS with an Interface that may be used for com- 
munksatlon over networks, such as the Internet. 

The Internet continues to increase Its position as an 
integral place for businesses that offers information and 
sen/ices to potential customers. Popular examples of 
such businesses are news providers (e.g., www.cnn. 
com (the Cable News Network), www.nytimes.com (the 
New York Times), www.wsj.com (the Wall Street Jour- 
nal), www.ft.com (Financial Times Magazine), www. 
buslnessweek.com (Business Week Magazine)); car 
manufacturers {e.g., www.ford.com/us (the Ford Motor 
Company), www.gm.com (the General Motor Compa- 
ny), www.toyota.com (the Toyota Motor Company)); 
book stores {e.g., www.amazon.com (Amazon.com 
books)); software providers (ag.. www.microsoft.com 
(the Mk:rosoft software company)) and many nrx>re. 

Most often, such a business sets up a home page 
on the World Wide Web (a "web-site," the World wide 
Web is a logbal overlay of the Internet). The web-site 
constitutes an electronically-addressable location that 
may be used for promoting, advertising and conducting 
business. Potential electronic customers use web- 
browsers {e.g., NETSCAPE NAVIGATOR®. MICRO- 
SOFT EXPLORER®, etc.) to access the information of- 
fered on those web-sites. 

An increasing number of web sites offer personal- 
ized services that may Include 'personalized web pag- 
es" customized to a user's interests, with hyper-links (a 
reference or link from some point in one hypertext doc- 
ument to some point in another document or another 
place in the same document ~ often displayed in some 
distinguishing way {e,g, In a different color, font or 
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style)) and displayed messages tailored according to 
the user's preferences. Such preferences can be ascer- 
tained by having a user establish an account with that 
web-site. This allows the web-site to store information 

s about the user's previous visits, either by tracking the 
hyper-links the user followed or through explicit dialogs 
with the user. For example, the Wall Street Journal pro- 
vides a "personalized journal" to each user, where the 
sequence and selection of sections is customized. In or- 

10 der to open an account, the user typically has to com- 
plete a form electronically, providing a user name, a 
password, an electronic-mail ("e-mail") address, etc. 
The latter is often used by the web-site to send back 
informatfon not provided on the web-slte Itself to the us- 

is er. 

Given the inherent lack of privacy of electronic com- 
munlcatfon over the Internet generally, and, particularly, 
the World Wide Web, it has long been felt that a system 
that could ensure private electronic communication 

20 would be highly advantageous. As an example of the 
problem, consider the plight of a customer that would 
like to browse the World Wide Web in a safe and private 
(anonymous) manner, visiting sites that provide person- 
alized sen/ice. The customer would like to establish ac- 

2S counts on web-sites without revealing his true identity, 
and without reusing the same user names, passwords, 
for multiple sites. Customers should refrain from reusing 
the same user names and passwords at multiple sites 
to avoid a security breach at one site to affect other sites; 

30 additionally, refraining from using such user names and 
passwords limits the ability of multiple sites from collud- 
ing to combine customer information and build dossiers 
on particular customers. 

Typically, the customer visits many of these web- 

35 sites, and Inventing and remembering new user names 
and passwords for each web-site becomes tedious. 
Moreover, many of these web-sites require the custom- 
er to include his e-mali address with his user name and 
password -- by providing his e-nriall address, the cus- 

40 tomer reveals his identity. 

In addition, there are commercial products available 
that alk3w web-skes to track their clients and visitors. 
Such tracking can be made even when no voluntary in- 
formation is provided by the user and no form is filled 

45 out. Examples of such systems are "Webreporter," 
which is available from OPENMARKET. INC., and 
■SiteTrack," which Is available from GROUP CORTEX, 
whose advertisement reads as follows: 

"Identify who Is visiting your site. Record the actual 

so number of people that visit. Find which links they follow 
and trace their complete path. Learn which site users 
came from and which site they depart to..." 
These products are made possible because the hyper- 
text transport protocol ("HTTP-protocol"), on which the 

55 World Wide Web is largely based, allows specific infor- 
matfon to flow back from the user to the web-site. This 
can Include for example, the user's e-mail address, the 
last web-slte he came from, and infornration about the 
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user's software and host-computer. Other pertinent user 
Infomiation may be sent by the web-site to the user 
browser using what are commonly referred to as 'cook- 
ies" (pieces of information that web-sites may store at 
the user's browser). On subsequent visits to the web- s 
site, the user's browser sends back information to the 
web-site without the user's knowledge. 

From the foregoing, it is apparent that what is need- 
ed In the art Is a scheme that provides anonymous per- 
sonalized web browsing that satisfies two seemingly io 
conflicting objectives, namely, providing user privacy 
and user identification. 

SUMMARY OF THE INVENTION 

75 

To address the above-discussed deficiencies of the 
prior art, the present invention introduces a proxy sys- 
tem that performs two basic functions: (1) automatic 
substitution of user-specific identifiers such that sen/er 
sites {e.g., web sites, junction points, intelligent portal 20 
devices, routers, network servers, etc.) within a network 
are prevented from determining the true identity of the 
user browsing (accessing, locating, retrieving, reading, 
contacting, etc.) the sites; and (2) automatic stripping of 
any other information associated with browsing com- 25 
mands that would allow the server sites to determine the 
true kjentity of the user browsing the server sites. An 
important aspect of the present inventfon is that the fore- 
going functions are performed consistently by the proxy 
system during subsequent visits to the server site (the 30 
same substitute identifiers are used on repeat visits to 
the sen/er site; the sen/er site also cannot distinguish 
between Information supplied by the user and the proxy 
system, thus the proxy system is transparent to the serv- 
er site). The present invention therefore not only Intro- 35 
duces anonymous browsing, but also personalization 
based upon the consistent use of substitute identifiers. 

It should be noted that the term true," as used here- 
in, means accurate, actual, authentic, at least partially 
correct, genuine, real or the like, the term "or." as used 40 
herein, is inclusive, meaning and/or; and the phrase "as- 
sociated with" and derivatives thereof, as used herein, 
may mean to Include within, Interconnect with, contain, 
be contained within, connect to or with, couple to or with, 
be communicable with, juxtapose, cooperate with, inter- 4S 
leave, be a property of, be bound to or with, have, have 
a property of, or the like. 

As is described in greater detail hereinbebw. the 
principles of the present Invention address the conflict- 
ing objectives of user privacy and user Identification de- so 
scribed hereinabove by providing a proxy system, a pe- 
ripheral proxy system, and a method of providing sub- 
stitute kJentifiers to a server site that allow users to 
browse the same anonymously via the proxy system. 

In one embodiment, the present invention provides, ss 
for use with a network having server sites capable of 
being browsed by users based on identifiers received 
into the server sites and personal to the users, a central 



proxy system for providing substitute identifiers to the 
server sites that allow the users to browse the server 
sites anonymously via the central proxy system. Accord- 
ing to various embodiments of the present invention , the 
substitute identifiers may be suitably constructed by the 
user site or a routine associated with the central site (ad- 
vantageous ways (functions) of constructing the substi- 
tute Identifiers are described hereinafter). The exempla- 
ry central proxy system includes: (1) a computer-exe- 
cutable first routine that processes (receives, accepts, 
obtains, constructs, produces, etc.) site-specific substi- 
tute identifiers constructed from data specific to the us- 
ers. (2) a computer-executable second routine that 
transmits the substitute identifiers to the sender sites and 
thereafter retransmits browsing commands received 
from the users to the server sites and (3) a computer- 
executable third routine that remowes (and possibly sub- 
stitutes) portions of the browsing commands that would 
Identify the users to the sen/er sites. "Include" and de- 
rivatives thereof, as used herein, means inclusion with- 
out limitation. 

In one embodiment, the first of the two above-enu- 
merated basic functions is performed external to the 
central proxy system, while In another It Is performed, 
at least in part, within the central proxy system. The cen- 
tral proxy system processes and fonwards the substitute 
identifiers as appropriate and directly performs the sec- 
ond of the above-enumerated basic functions by strip- 
ping other information that would tend to identify the us- 
ers. An Internet Access Provider ("ISP"), such as NET- 
COM®, or a networking servfce, such as AMERICA ON- 
LINE® or COMPUSERVE® can advantageously em- 
ploy the central proxy system to provide anonymous re- 
transmission of browsing commands by their users. 

It is Important to understand that subsequent use of 
the proxy system by a "same" user to a "same" server 
site will cause the proxy system to construct (directly or 
indirectly) and use the same (site-specific) substitute 
identifiers. Typically, the proxy system functions as a 
conduit communicating messages between the user 
and the sen/er. Depending upon the embodiment, the 
proxy system may remove or substitute some portion of 
messages communicated by the user to the server to 
ensure anonymity. 

An alternative advantageous embodiment of the 
present invention may be provided In the fomri of a pe- 
ripheral proxy system designed for use with a networic 
having a sen/er site capable of being browsed by users 
based on identifiers received Into the sen/er site and 
personal to the users. The peripheral proxy system in- 
cludes: (1 ) a computer-executable first routine that con- 
structs a particular substitute Identifier from data re- 
ceived from a particular user and (2) a computer-exe- 
cutable second routine that transmits the partbular sub- 
stitute Identifier to the central proxy system, the central 
proxy system retransmitting the particular substitute 
kJentifier to the server site and thereafter retransmitting 
browsing commands received from the particular user 
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to the server site. According to this embodiment, the first 
routine may be associated, at least in part, with the user 
site, which distributes the basic functions of the present 
invention over multiple computer systems. 

The foregoing has outlined, rather broadly, pre- 
ferred and alternative features of the present invention 
so that those skilled in the art may better understand the 
detailed description of the invention that follows. Addi- 
tional features of the invention will be described herein- 
after that form the subject of the claims of the invention. 
Those sicilled in the art should appreciate that they can 
readily use the disclosed conception and specific em- 
bodiment as a basis for designing or modifying other 
structures for carrying out the same purposes of the 
present inventbn. 

BRIEF DESCRIPTION OF THE DRAWINGS 

For a more complete understanding of the present 
invention, reference is now made to the following de- 
scriptions taken in conjunction with the accompanying 
drawings, wherein like numbers designate like objects, 
and in which: 

FIGURE 1 Illustrates a high-level block diagram of 
an exemplary distributed network with which the 
principles of the present invention may be suitably 
used to provide either a central or a peripheral proxy 
system for allowing users to provide substitute iden- 
tifiers to server sites of a network to browse anon- 
ymously; 

FIGURE 2 illustrates a block diagram of an exem- 
plary sub-network of the distributed network of FIG- 
URE 1 showing a central proxy system that includes 
each of a user site, a central proxy system and a 
plurality of illustrative server sites according to the 
principles of the present invention; 
FIGURE 3 illustrates an exemplary full screen win- 
dow of a proxy system according to the principles 
of the present invention; 

FIGURE 4 illustrates an exemplary full screen win- 
dow of an interface of a particular server site ac- 
cording to the principles of the present invention; 
FIGURE 5 illustrates a block diagram of an exem- 
plary sub-network of the distributed network of FIG- 
URE 1 showing a peripheral proxy system that in- 
cludes each of a user site, a central proxy system 
and a plurality of Illustrative sender site according to 
the principles of the present invention; and 
FIGURE 6 illustrates a block diagram of an exem- 
plary sub-network of the distributed network of FIG- 
URE 1 including each of a user site, a central proxy 
system and a plurality of illustrative server sites ac- 
cording to an exemplary marker proxy embodiment 
of the present invention. 



DETAILED DESCRIPTION 

Refen^ing initially to FIGURE 1 , Illustrated is a high- 
level block diagram of an exemplary distributed network 
5 (generally designated 100) with which the principles of 
the present inventbn may be suitably used to provide 
either a central or a peripheral proxy system. Distributed 
network 100 illustratively includes a plurality of compu- 
ter sites 105 to 110 that are illustratively associated by 

10 Internet 115. Internet 115 includes the World Wide Web, 
which is not a network itself, but rather an "abstraction" 
maintained on top of Intemet 115 by a combination of 
browsers, server sites. HTML pages and the like. 
According to the illustrated embodiment, either 

'5 proxy system provides substitute identifiers to one or 
more of a plurality of sender sites 110 of network 100. 
The substitute kJentifiers allow user sites (and, hence, 
users (not shown)) to browse the server sites anony- 
mously via the proxy system. Consistent use of the 

20 same (site-specific) substitute Identifiers at a particular 
server site personalizes browsing. For purposes of illus- 
tration, site 105a is assumed throughout this document 
to be a user site, site 110a is assumed to be a central 
proxy site, and site llOg Is assumed to be a sender site. 

25 Those of skill in the pertinent art will understand that 
FIGURE 1 is illustrative only, in other configurations, any 
of sites 105 to 110 may be a user, a central proxy or a 
server site, or a combination of at least two of the same. 
"Sender site." as the temri is used herein, is construed 

30 broadly, and may include any site capable of being 
browsed. 

Although the illustrated embodiment is suitably im- 
plemented for and used over Internet 1 1 5, the principles 
and broad scope of the present invention may be asso- 

55 elated with any appropriately arranged computer, com- 
munications, multimedia or other network, whether 
wired or wireless, that has sender sites capable of being 
browsed by users based on identifiers received into the 
server sites and that are personal to the users. Further, 

40 though the principles of the present invention are illus- 
trated using a single user site 105a. a single central 
proxy site 110a and a single server site 11 Og, alternate 
embodiments within the scope of the same may include 
a plurality of user, central proxy or server sites. 

4S Exemplary network 1 00 Is assumed to include a plu- 
rality of insecure communication channels that operate 
to intercouple ones of the various sites 105 to 110 of 
network 100. The concept of communicatbn channels 
Is known and allows insecure communication of infor- 

50 mation among ones of the intercoupled sites (the Inter- 
net employs conventional communication protocols that 
are also known). A distributed network operating system 
executes on at least some of sites 105, 110 and may 
manage the insecure communication of information 

55 therebetween. Distributed network operating systems 
are also known. 

According to exemplary central proxy system 110a 
of the present invention, which is discussed in detail with 
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reference to FIGURE 2, substitute Identifiers may be 
suitably indirectly provided by central proxy system 
11 Oa to sender site 1 1 0g (recall that substitute identifiers 
allow user site 105a to browse server site llOg anony- 
mously). One or more site-specific substitute identifiers 
are suitably provided or constructed from data specific 
to user 1 05a either by user 1 05a or central proxy system 
110a. Central proxy system 110a Includes a plurality of 
executable routines - a first routine processes site-spe- 
cific substitute identifiers constructed from data specific 
to user 105a (site-specific substitute identifiers may be 
suitably constructed by a central proxy site 110a, such 
as by a routine associated with central proxy system 
110a); a second routine transmits the substitute Identi- 
fiers to server site llOg (possibly via a plurality of inter- 
mediate user and sen/er sites 105, 110) and thereafter 
retransmits browsing commands received from user site 
105a to sen/er site llOg; and a third routine removes 
(and possibly substitutes) portions of the browsing com- 
mands that would identity user site 105a to server site 
llOg (and the plurality of intermediate user and sen/er 
sites 105. 110). The term 'routine," as used herein, is 
construed broadly to not only include conventional 
meanings such as program, procedure, object, task, 
subroutine, function, algorithm, instruction set and the 
like, but also sequences of instructions, as well as func- 
tionally equivalent firmware and hardware Implementa- 
tions. 

Alternatively, according to an exemplary peripheral 
proxy system (generally designated 1 20) of the present 
Invention, which is discussed in detail with reference to 
FIGURE 5, that is designed for use with network 100 
again having a server site llOg capable of being 
browsed by a user site 105a based on substitute iden- 
tifiers received into sen/er site llOg and that are per- 
sonal to user site 1 05a. Exemplary peripheral proxy sys- 
tem 120 Includes first and second executable routines. 
The first routine, which may advantageously reside in 
user site 105a or, alternatively, in central proxy system 
110a, constructs a particular substitute identifier from 
data particular to user site 105a. The second routine, 
whk^h may also advantageously reside In user site 105a 
or, partially, in user site 105a and central proxy system 
1 1 0a. transmits the particular substitute identifier to cen- 
tral proxy system 110a. Central proxy system 110a then 
retransmits the particular substitute identifier to server 
site llOg and thereafter communrcates {e.g., transmits, 
receives, etc.) information {e.g., browsing commands, 
data, etc.) between user site 105a to sen/er site llOg. 

According to the illustrated embodiment, peripheral 
proxy system 1 20 differs from central proxy system 1 1 0a 
by the location of execution of the first and second rou- 
tines. In the illustrated central proxy embodiment, all 
routines are executed by central proxy system 110a, 
whbh means that all users must send user specific in- 
fomnation to central proxy system 110a. In the illustrated 
peripheral proxy system 120, the first and second rou- 
tines may be executed in a proxy subsystem associated 



with user site 105a. In one advantageous embodiment, 
user system 105a's user specific information {e.g., user 
identification, passwords, e-mail addresses, telephone 
numbers, credit card numbers, postal address, etc.) re- 
s main local, which will typically be more secure than cen- 
tral proxy system 110a. 

As set forth hereinabove, an ISP, such as NET- 
COM®, or a networking sen/ice, such as AMERICA ON- 
LINE® or COMPUSERVE®, can advantageously em- 
10 ploy either exemplary proxy system (central or periph- 
eral) to provide anonymous communication (transmis- 
sion, reception, retransmission, etc) of browsing (e.g., 
accessing, selection, reading, etc.) commands between 
user sites and sen/er sites. 

>5 An important aspect of the above-identified embod- 
iments is the use of site-specific substitute identifiers to 
eliminate the need for a user to have to "invent" a new 
user name and password for each server site which re- 
quires the establishment of an account {e.g., the NEW 

20 YORK TIMES, the WALL STREET JOURNAL, the 
NEWSPAGE® and ESPN® sites). The illustrated em- 
bodiment generates secure substitute identifiers {e.g., 
alias user names, passwords, a-mail addresses, postal 
addresses, credit card numbers, etc.) that are distinct 

25 and secure for the user. The user provides one or more 
character strings (which may be random) once, which 
may advantageously be at the beginning of a proxy sys- 
tem session. The proxy system uses the same to gen- 
erate one or more secure site-specific substitute identl- 

30 fiers for the user - thereby freeing the user from the bur- 
den of inventing new and unique klentiflers for each 
server site. Moreover, the user no longer has to type 
such secure identifiers every time the user returns to a 
particular server site requiring an account; instead the 

3S proxy system provides the appropriate secure identifiers 
automatically. In an advantageous embodiment to be 
described, the proxy system filters other identifying In- 
formation {e.g., HTTP headers, etc.) sent by user site 
105a while browsing sen/er sites, it is important to keep 

40 in mind that sen/er sites cannot typkially distinguish be- 
tween information supplied by proxy system 110a and 
Information supplied by user site 105a -<:entral proxy 
system 110a being transparent to can/er sites. 

In one embodiment, the substitute identifiers are 

4S transmitted on demand from sen/ers, without any inter- 
vention from the user. This process automates the re- 
sponse to a 'basic authentication request.' which is a 
conmon procedure used by sen/ers to Identify users on 
the World Wide Web. In this way, the user is not bur- 

50 dened by this activity. 

According to the illustrated embodiment, to produce 
substitute Identifiers the proxy system may suitably 
maintain secret information (secret to at least one sen/- 
er-site) in the form of user definable character strings. 

ss These character strings may be user defined and may 
be maintained in some conventional manner, such as 
storing the same to memory associated with the proxy 
system, or, advantageously, a function (described here- 
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inatter) may be used to produce the substitute identifi- 
ers, at least \n part, in association with the secret Infor- 
mation. According to one approach, the proxy system 
maintains a conventional data structure to maintain the 
same, such as a database, data repository, an array, s 
etc., or even an alias table, that may be used to map 
user information to their substitute, or alias, identifiers. 

According to one advantageous embodiment, the 
user delivers its own secret (user definable character 
string) at the beginning of each session, which is used io 
by the proxy system to generate, directly or Indirectly, 
the substitute identifiers for the session. This option has 
the advantage that a user has the flexibility to choose 
different proxies at different times and there is no per- 
manent secret infornrvatbn stored on the proxy system, is 
In another related embodiment, the data comprises at 
least two secret user definable character strings, where- 
in the first routine processes substitute identifiers con- 
structed in part from the at least two secret user defin- 
able character strings. Of course, altemate suitable ap- 20 
proaches may be used to accomplish the purpose of 
providing anonymous personalized web browsing ac- 
cording to the present Invention. 

Turning now to FIGURE 2, Illustrated is a block di- 
agram of an exemplary sub-network (generally desig- 2S 
nated 200) of distributed network 100, wherein sub-net- 
work 200 includes user site 105a, central proxy system 
110a and server site llOg (shown among a plurality of 
other illustrative server sites 1 1 0 of Internet 1 1 5) accord- 
ing to the principles of the present inventran. so 

For purposes of illustration, assume that user site 
1 05a issues a command to access server site 1 1 0g (the 
NEW YORK TRIBUNE web-site ("N YT")). Such access 
would be via central proxy system (server site) 110a, 
which ensures that user specific data concerning user 3S 
site 105a is not communbated over the remainder of 
Internet 115- there may be HTTP header fields, for ex- 
ample, that Include data about user site 105a that cen- 
tral proxy system 1 1 0a filters. 

Exemplary central proxy system 110a advanta- 40 
geously executes on a sen/er site that is not associable 
with user site 1 05a by other sites over Internet 11 5. Ac- 
cording to an advantageous embodiment, central proxy 
system 110a may be suitably distant, both physically 
and logically, from user site 1 05a - user site 1 05a does 4S 
not access server-sites directly because the server- 
sites can determine both physically and togically the In- 
ternet Protocol (IP-) - address of the machine that 
made the request. 

Accordlngtotheexemplary embodiment, if user site so 
1 05a*s command to access N YT 1 1 0g is user site 1 05a's 
first request of the current session, central proxy system 
110a will recognize the same, and display its own 
HTML-document, possibly on user site lOSa's browser. 

Turning momentarily to FIGURE 3, illustrated is an ss 
exemplary fullscreen window of a conventional browser 
300 ("NETSCAPE®") displaying an inlaid interface 305 
("JANUS^M') of central proxy system 1 1 0a according to 



the principles of the present invention. Exemplary inter- 
face 305 prompts a user of site 105a to enter user de- 
finable character strings, which according to the illus- 
trated embodiment includes identification ("ID") data 
and secret ("S") data supplied by the user Each user 
initially supplies a user ID {e.g., e-mail address) and a 
user S to allow one or more substitute identifiers to be 
chosen or constructed (site-specific substitute identifi- 
ers are suitably constructed from data specific to user 
105a and a particular server site which user 105a in- 
tends to browse). Alternatively, other or further data sup- 
plied by the user may be appropriate in some applica- 
tions {e.g. , credit card number, post office address, han- 
dle, etc.). 

According to the advantageous embodiment, sub- 
stitute identifiers may be constructed (generated) using 
a suitable function that includes the features of anonym- 
ity consistency, collision resistance and uniqueness, 
protection from creation of dossiers, and single secret 
and acceptability. Concerning anonymity, the identity of 
the user should be kept secret; that Is, a server site, or 
a coalition of sites, cannot determine the true identity of 
the user from its substitute identification. Concerning 
consistency, for each server-site, each user should be 
provided with some substitute Identifiers allowing the 
server site to recognize the user given the same, there- 
by enabling the server site to personalize the user's ac- 
cess and the user can thus be "registered" at the server 
site. 

With respect to collision resistance and unique- 
ness, given a user's identity and a server site, a third 
party should not find a different user identity which re- 
sults in the same alias (impersonation) for that server 
site. As to protection from creation of dossiers, the user 
is likely to be assigned a distinct alias (substitute iden- 
tifier) for distinct sender sites, so that a coalition of sites 
is unable to learn a user's habits and build a user profile 
(dossier) based on the set of sites accessed by the user. 
Lastly, single secret (user definable character string) 
and acceptability provkJes. given the user's Identity and 
a single secret, automatic generation of secure, distinct 
aliases (substitute identifier) as needed for each seiver- 
site, transparent to the user - from the user's perspec- 
tive, the user definable character string is equivalent to 
a universal password for a collection of server-sites. 

According to this embodiment, a user ID is "corrupt" 
(not secret) If an adversary (one or more server sites 
desirous of identifying the user), E, has been able to 
read the user's secret, S. Alternatively, a user ID is 'par- 
tially opened" (not fully secure) with respect to a partic- 
ular server site, iv, if E has been able to read the alias 
password; a user ID is "opened" (not secure) with re- 
spect to IV, if it is partially opened and E has been able 
to relate the alias password together with the alias user 
name to the user ID. Assuming that the function. T(), is 
defined as follows, Tluser ID, web-site ("w"). S) = ^sub- 
stitute username, passwords;, hence, T(id, w, S) = (Uw, 
Pw): and Tu(id,w,S) = Uwar\6 Tp(id,w,S) = Pw, 
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Tu (id, S) = Uw= h(enc(kM f(s^,w))) 

and 

Tp(id,w,S)- Pw= h(enc(kid, f(s2,w))), 

wherein 

id denotes user site lOSa's ID {e.g., e-mail 

address); 

w denotes server site llOg's domain 

name; 

// denotes the logical function of concate- 

nation; 

S denotes W/s^/s^, a user site 1 05a defin- 

able character string; 

xor denotes the Boolean function of exclu- 

sive or, 

f(l(,x) denotes a suitably arranged function for 

generating pseudo-random values, and 
may be selected from a group of func- 
tions, such as des(l(,h(x),x); 

enc(l(,x,r) denotes r//(f(l(j)xorx): 

hQ denotes a collision-resistant hash func- 

tion, such as MD5; and 

des(l(J,x) denotes DES encryption In cipher block 
chaining ("CBC") mode, which are 
known, of information x using key /rand 
an initialization vector /: 

Both Tu() and Tp() may suitably truncate the result of 
the hashing function, h(), to fit the longest allowed user 
name or password for the particular server site. 

Relating this function. T(), to the above-kjentified 
and described features yiekjs the following: 

1. Ecan only guess at the kientity. ID. of a user 
which is only partially opened and uncorrupted. 

2. T() is a deterministic functkwi and E can only 
^uess at the alias-password of a user which is un- 
opened and uncorrupted. 

3. Given ivand an uncorrupted and unopened user 
ID, E can only guess at the ID and S. 

4. For an uncorrupted user ID and T(id,w,S) does 
not giveto Einfomnation about T|f/ctw',s;forany w* 
not equal to w. 

5. The range of T(kJ,w,S) is such that it is accepted 
by server sites as a valid username and password 
- implying a limited length string of printable char- 
acters. 

Those skilled in the pertinent art will understand that al- 
ternate suitable functions may replace or be used in as- 
sociation with the foregoing according to the principles 
of the present Invention. 

Use of the foregoing exemplary substitute identifier 



constructing function, and for that matter, any other suit- 
ably arranged function for constructing substitute iden- 
tifiers according to the present inventk^n, operates to 
foster the above-identified features of anonymyzed and 
s personalized browsing. The present invention provides 
the ability to anonymously visit a server site a first time 
via site-specific substitute identifiers, to interact with the 
server site as a functk^n thereof, and to re-visit the serv- 
er site on subsequent occasions using the same site- 

10 specific substitute kJentlfiers, interacting with the sen/er 
site as a return customer ~ possibly receiving person- 
alized attention - as a function of the recognized sub- 
stitute Identifiers. Simply stated, the substitute identifi- 
ers are constructed consistently, and in advantageous 

^5 embodiments in a site-specific manner. 

In one embodiment of the present invention, the 
substitute kientiflers Include site-specific substitute user 
names and site-specific substitute user passwords. 
"Site-specific" means that the names and passwords 

20 vary from site to site, depending perhaps upon the ad- 
dress of each site. This may complicate the task of cre- 
ating a dossier relative to a given user. In a related em- 
bodiment, the first routine constructs site-specific sub- 
stitute e-mail addresses for user site 1 05a from the site- 

2S specific data. In an alternate advantageous embodi- 
ment, the first routine constructs the site-specific sub- 
stitute identifiers from addresses of the sen/er sites - of 
course, site-specific infonmatk)n other than the address 
of the site may be used to constmct the substitute kjen- 

30 tifiers. 

If this is the first contact of the user with central 
proxy system 1 1 0a, then the user may suitably generate 
a user defined character string (secret) at random and 
store the same locally. In one advantageous embodi- 
es ment. the first routine processes substitute identifiers 
that may be constructed by applying pseudo-random 
and hash functions {e.g., T() function set forth herein- 
above) to the data received from user site 1 05a - those 
skilled in the art are familiar with the structure and op- 
40 eration of pseudo-random and hash functions and their 
utility. The important aspect of this and related embod- 
iments Is that the present inventbn is adapted to take 
advantage of current and later-discovered functions to 
enhance anonymity and security 
45 Alternatively, if this is the first contact of a current 
session then the user may suitably enclose the stored 
user defined character string to central proxy system 
1 1 0a. Nonetheless, browser 300 sends interface 305 to- 
gether with a user's ID and other user definable charac- 
50 ter string to central proxy system 110a. Central proxy 
system 110a receives this information and may use the 
same for the rest of the session. 

In one advantageous embodiment, the first routine 
receives or generates session tags that are added to the 
ss browsing commands, central proxy site 1 1 0a employing 
the session tags to associate the substitute identifiers 
with each of the browsing commands - the session 
tags, while not necessary to the present invention, pro- 
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vide one manner that allows user sites 105a to supply 
their data only once, usually at the beginning of each 
session. In a related advantageous embodiment, cen- 
tral proxy site 11 Oa includes a data store that is capable 
of containing session information specific to user sites s 
105a and accessible by server sites llOg. 

In one advantageous embodiment, the second rou- 
tine described above, which may be local to the central 
proxy system 110a, transmits the substitute identifiers 
to sen/er site 1 1 0g. In a further advantageous embodi- io 
ment, the second routine transmits the substitute iden- 
tifiers to sen/er site 110g based on alphanumeric codes 
supplied in fields of web-pages 305 by the users. The 
alphanumeric codes prompt the second routine as to 
how and where to locate the substitute identifiers, re- is 
moving the users from actually having to provide the 
substitute Identifiers directly Of course, the alphanu- 
meric codes may be supplied in a different form. In a 
related, more specific embodiment, the users manually 
place the alphanumeric codes in the fields of web-pages 20 
305. Of course, the present invention encompasses In- 
telligent parsing of the fields of web pages 305 to deter- 
mine automatically how and where the alphanumeric 
codes should be located. Those skilled in the art are fa- 
miliar with the Internet in general, the World Wide Web 2S 
in particular and the way in which the structure of the 
World Wide Web promotes "browsing." The present in- 
vention finds apparent utility in conjunction with the In- 
temet and the Wortd Wide Web, however, those skilled 
In the art will readily understand that the present inven- 30 
tion has advantageous applicatk)n outside of the Inter- 
net as well in any suitably arranged computer, commu- 
nications, multimedia or like network configuration. 

Nonetheless, after centra! proxy system 110a ob- 
tains the required information about the user, the above- 3S 
described third routine removes portions of the browsing 
commands that woukJ identify user site 105a to sen/er 
site 1 1 0g, and forwards user site 1 05a'8 original request 
for access to NYT-site 11 Og (e.g., using an HTTP get- 
request) " thereby selectively excluding from the re- 40 
quest header-fields or the like that may Identify the user. 

If this is the user's first visit to NYT-site llOg, then 
It may suitably provide the user with an electronic form 
prompting, for example, for a user name, a password 
and an e-mail address In order to establish an account. 4S 
Turning momentarily to FIGURE 4, illustrated is exem- 
plary full screen window of conventional NETSCAPE® 
browser 300 displaying an Inlaid interface 400 ("THE 
NEW YORK TRIBUNE") of server site llOg according 
to the principles of the present invention, 50 

Now, instead of having to provide a unique user 
name and a secret password, the user may suitably pro- 
vide these fields with simple escape strings (e.g., "<uu- 
uu>" and ■<pppp>"). More specifically the alphanumeric 
codes above-described may be suitably arranged into ss 
such escape sequences - those skilled in the art are 
familiar with escape sequences. These strings are rec- 
ogn ized by central proxy site 1 1 0a which uses user site 



105a's user name and secret (user definable character 
string) along with the domain-name of the NEW YORK 
TRIBUNE and computes substitute Identifiers (e.g., ali- 
as user name, u3, and alias password, p3, in FIGURE 
2, etc.), such as by function T(ID, secret, domain-name). 
The site-specific substitute Identifiers may be sent to a 
particular server site by central proxy system 110a using 
the same mechanism that the user would submit input 
to the particular sen/er site. Inotherwords, proxy system 
110a receives information communications, such as 
browsing commands, from user site 105a Intended for 
sen/er site 1 1 0g, and retransmits the same to server site 
1 1 0g " central proxy system 1 1 0a functioning as a trans- 
parent conduit for anonymizing and, through consistent 
generation of site-specific substitute identifiers, person- 
alizing sen/er site browsing. 

On a subsequent visit to NYT-site llOg. which 'will 
require that user site 105a authenticate itself (response 
to the first get-request fonvarded to NYT-site llOg by 
central proxy system 110a), central proxy system 110a 
may be suitably operative to automatically recompute 
u3 and p3 and reply by sending these values back to 
NYT-site 110g (re-sending the get-request). User site 
105a is thereby freed from the burden of remembering 
the user name and password of its NYT-site llOg ac- 
count. To summarize, the protocol, which may be suita- 
bly executed without involving user site 105a, includes: 
(1 ) a step of NYT-site server 1 lOg requesting an authen- 
tlcatbn from central proxy site 110a by falling the first 
get request; (2) central proxy site 110a recomputing the 
substitute identifiers (e.g., (alias-user name, alias-pass- 
word) = T(ID, secret, domain-name), or like); (3) cen- 
tral proxy site 110a replying by re-sending the get with 
the same substitute identifiers. 

The substitute Identifiers are consistent In the sense 
that the substitute Identifiers are presented on subse- 
quent visits to the same sen/er site by user 105a. Con- 
sistent substitute identifiers allow sen/er sites to recog- 
nize returning users and provide personalized sen/Ice 
to them. In one embodiment, the second routine trans- 
mits the substitute Identifiers on demand from sen/ers, 
without any intervention from user 105a. This process 
automates the response to a "basic authentication re- 
quest," which is a common procedure used by sen/ers 
to identify users 105a on the World Wide Web. In this 
way, user 105a is not burdened by this activity In this 
embodiment, the second routine may have to re-trans- 
mit the original user request abng with the substitute 
identifier to the sen/er. 

It should be noted that many sen/ers require a valid 
e-mail address for creating an account - users cannot 
use their true e-mail address for this purpose since it 
uniquely identifies them. The proxy system of the 
present Invention may suitably solve this problem by 
creating an alias e-mail address for user site 105a and 
store e-mail In an electronic mailbox. In one advanta- 
geous embodiment, central proxy system 110a includes 
a data store capable of containing e-mail destined for 
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the users, thereby preventing sen/er sites from contact- 
ing users directly. Contrary to prior art anonymous re- 
mailers, the present embodiment is not required to rely 
on having to store any translatbn tables (which may be 
large and vulnerable) from alias to true user Identifiers s 
in central proxy system 1 1 0a. This embodiment is inher- 
ently securer than prior art approaches as central proxy 
system 110a is not required to maintain and protect a 
translation table and cannot be forced to reveal the con- 
tents of any such table to a third party io 

In an alternate advantageous embodiment, central 
proxy system 105a further includes a data store capable 
of containing e-mailboxes for the users and specific to 
the server sites. According to this embodiment, each us- 
er has a mailbox for each site that has generated mail is 
destined for the user Rather than compromising secu- 
rity by allowing automatic remailing to the user, the 
present embodiment may store e-mail for explicit re- 
trieval by each user. 

For each server, it may be advantageous for users 20 
to have a separate e-mail box, possibly identified by us- 
er-substitute Identifiers. This approach may allow for 
suitable disposal of e-mail messages received from the 
third-parties (e.g., 'junk e-mail") as well as the option of 
selective disposal of e-mail messages. 2s 

In one advantageous embodiment, each of e-mail- 
boxes has a key associated therewith, the key being a 
functbn of the data and an index number The use of 
keys with e-mailboxes is known. In another advanta- 
geous embodiment, central proxy system 110a further 30 
comprises a computer-executable routine that, given 
the substitute identifiers, collects e-mail destined for the 
users and contained within a plurality of site-specific e- 
mailboxes. This embodiment may suitably employ a 
mail-collecting routine that automatically locates user 3S 
site 105a's varbus mailboxes and retrieves the mail 
therefrom once the user has supplied the appropriate 
data. 

According to one advantageous embodiment, cen- 
tral proxy system 1 1 0a Includes f unctfonality necessary 
to support electronic payment, the users employ elec- 
tronk: payment information to engage in anonymous 
commerce with the sen/er sites. To facilitate the same, 
central proxy system 110a may include a data store ca- 
pable of containing such electronic payment informa- 4S 
tion. Further, substitute identifiers may be constructed, 
at least in part, using credit/debit card numbers, bank 
branch or account numbers, postal addresses, tele- 
phone numbers, tax identification numbers, social se- 
curity numbers or the like. Various methods for achiev- so 
ing anonymous commerce are known. 

By way of further example, an ever increasing 
number of sites require a valid credit card number as 
part of establishing an account, so that such sites may 
charge the user for their sen/ices (e.g., WALL STREET ss 
JOURNAL®, ESPN®, etc.). While the above-described 
proxy system provides substitute identifiers to free users 
from remembering these items and by provkJing a guard 



on (involuntary) data flowing to the web-site, It may not 
provide complete anonymity to a user who has provided 
a credit card number to a site. One solution, described 
briefly above, requires central proxy system 1 1 0a to pro- 
vide its own valid credit card number to the requesting 
site and then collect nnoney from its users. If central 
proxy system 105a is incorporated into an Internet pro- 
vider, for example, such as AMERICA ONLINE®, then 
this relationship may already exist. 

Alternatively, central proxy system 110a may be 
known and trusted by other sites, thereby allowing cen- 
tral proxy system 110a to generate an alias credit card 
number and expiration date, and then to authenticate 
this data and send It to a requesting site. The site can 
then check that this number Indeed originates from cen- 
tral proxy system 110a and hence accepts the same as 
valid, with the understanding that it can collect the mon- 
ey from central proxy system 110a. There no tonger is 
a need to send a Veal" credit card number between cen- 
tral proxy system 110a and the sites. 

It is important to realize that the various features 
and aspects of the embodiments above-described may 
also be suitably implemented in accordance with the pe- 
ripheral proxy system described with reference to FIG- 
URE 1. More particularly turning momentarily to FIG- 
URE 5, there is illustrated a block diagram of an exem- 
plary sub-network (generally designated 500) of the dis- 
tributed networtc of FIGURE 1 showing a peripheral 
proxy system 120 that includes each of user site 105a, 
central proxy system 110a and NYT-site llOg (shown 
among a plurality of other illustrative sen/er sites 110 of 
Internet 115) according to the principles of the present 
invention. 

Peripheral proxy system 120, as set forth above, in- 
cludes first and second executable routines. The first 
routine, which advantageously resides in user site 1 05a. 
constructs substitute identifiers from data particular to 
user site 105a. The second routine, which also illustra- 
tively resides in user site 105a. transmits the substitute 
identifiers to central proxy system 110a. Central proxy 
system 110a then retransmits the substitute kientifiers 
to server site "MOg and thereafter communicates (e.g., 
transmits, receives, etc.) information {e.g., browsing 
commands, data, etc.) between user site 105a to sen/er 
site llOg. This second configuration is particulariy ad- 
vantageous when users may not trust central proxy sys- 
tem 110a or the communication lines therebetween, and 
want to keep user kJentifications and other secret infor- 
mation secure. 

A local proxy system 510 may be used to maintain 
the same, and may use the user's identificatfon and oth- 
er information to compute the substitute identifiers. Lo- 
cal proxy system 51 Ocommunicates with a central proxy 
system 110a, which may be used tofonvard communi- 
cation to sen/ers and handle e-mail. In one embodiment, 
central proxy system 110a communicates with compu- 
ter-executable local routines associated with the users, 
the local routines constructing the site-specific substi- 
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tute identifiers from data specific to the users. Again, 
central proxy system 110a may rely on distributed rou- 
tines, local to each user, that generate the substitute 
identifiers and transmit the same to central proxy system 
110a. 

Turning now to FIGURE 6, illustrated is a block di- 
agram of an exemplary sub-network (generally desig- 
nated 600) of the distributed network 1 00 including each 
of user site 105a. central proxy system 110a and a plu- 
rality of illustrative sender sites 110b, 110c, and llOg ac- 
cording to an exemplary marker proxy embodiment of 
the present invention. As described above, the central 
proxy system of the present inventbn may be employed 
in at least two configurations, namely, a central proxy 
configuration (FIGURE 2) or a peripheral proxy config- 
uration (FIGURE 5). 

I n the central proxy configuration, central proxy sys- 
tem 110a computes substitute identifiers. An implemen- 
tation of this configuration may require user site 1 05a to 
provide one or more user definable character strings (a 
g., user identification, password and other secret infor- 
mation) once, and central proxy system 110a will there- 
after generate the substitute identifiers as needed. Cen- 
tral proxy system 1 1 0a may associate the user definable 
character strings with a series of HTTP requests gener- 
ated by the same user site 1 05a -- the central proxy sys- 
tem 110a may associate each request with a session, 
that contains all communication between a specific user 
site 105a and the central proxy system 110a. 

The HTTP protocol however does not generally di- 
rectly support sessions or relatbnships between re- 
quests. More particulariy, each HTTP request may be 
sent a new socket connectk>n, and there is no required 
HTTP header fiekJ that can link successive requests 
from the same user. 

It should be noted that the session identlficatksn is 
typically not necessary In the peripheral proxy configu- 
ration since central proxy system 110a may forward 
communications without any computation. In a typk^al 
embodiment, peripheral proxy system 120 retransmits 
browsing commands received from user site 105a to 
central proxy system 1 1 0a, which then retransmits such 
commands to server site llOg. According to one em- 
bodiment, peripheral proxy system 120 removes and. 
possibly, substitutes portions of the browsing com- 
mands that would kJentify user site 105a to server site 
llOg. 

In one advantageous embodiment user site 105a 
runs a mariner program 605 locally Marker program 605 
operates to tag user site 105a's requests with a session 
tag. t Central proxy system 1 1 0a uses this tag to identify 
requests belonging to a particular one of a group of us- 
ers. Mariner program 605 may be implemented to store 
user site 105a's session tag and add this tag to all re- 
quests, and central proxy system 1 1 0a removes the ses- 
sion tag before fonvardlng the request to some server 
site. The session tag should be unique, as no two users 
should have the same tag. 



It should be noted that NETSCAPE® uses 'cookies, 
" which are a mechanism for storing and retrieving long 
term session Information (the use of "cookies' concep- 
tually is known). The cookies are generated by the 
s browsed servers and are associated with a specific do- 
main name. Browsers 300 submit the cookies associat- 
ed with a specific domain name whenever the user re- 
visits that domain. Sen/ers typically only generate cook- 
ies associated with their domain. Cookies provide an 

10 easy mechanism to keep session Infomiation, such as 
the contents of a "shopping cart," account name, pass- 
word, event counters, user preferences, etc. 

Some companies, use cookies extensively to track 
users and their habits. Since the proxy systems of the 

IS present invention present substitute identifiers to 
browsed servers, the senders cannot learn true user 
identities. Thus all of the information that the server may 
store in its cookie relates to some "alias persona," and 
not to the true user. Whenever the user returns to the 

20 same server. It will present the same substitute Wentifl- 
ers, and may also submit the cookie that the sender gen- 
erated earlier for this alias persona. 

It is apparent from above, that the present invention 
provides, for use with a network having user sites and 

25 server sites, wherein the server sites are capable of be- 
ing browsed by the user sites based on identifiers re- 
ceived into the sender sites and personal to the user 
sites, both a central and a peripheral proxy system for 
providing consistent substitute identifiers to the sen/er 

30 sites that allow the user sites to browse the sender sites 
in an anonymous and personal fashion via the proxy 
system. 

An exemplary central proxy system includes: (1 ) an 
executable first routine that processes site-specific sub- 
as stitute kJentifiers constructed from data specific to the 
user sites, (2) an executable second routine that trans- 
mits the substitute Identifiers to the sender sites and 
thereafter retransmits browsing commands received 
from the user sites to the sender sites and (3) an execut- 
40 able third routine that removes (and possibly substi- 
tutes) portions of the browsing commands that would 
klentify the user sites to the server sites. 

An exemplary peripheral proxy system Includes: (1 ) 
an executable first routine that constructs a particular 
45 substitute Identifier from data received from a particular 
user site and (2) an executable second routine that 
transmits the particular substitute identifier to a central 
proxy system, the central proxy system then retransmit- 
ting the particular substitute identifier to the server site 
50 and thereafter retransmitting browsing commands re- 
ceived from the particular user site to the server site. 

Although the present Invention has been described 
in detail, those skilled in the art should understand that 
they can make various changes, substitutions and alter- 
55 ations herein without departing from the scope of the 
invention in its broadest fomri. More particularly, it should 
be apparent to those skilled in the pertinent art that the 
above-described routines are software-based and exe- 
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cutable by a suitable conventional computer system/ 
network. Alternate embodiments of the present inven- 
tion may also be suitably implemented, at least in part, 
in firmware or hardware, or some suitable combination 
of at least two of the three. Such firmware-or hardware s 
embodiments may include multi, parallel and distributed 
processing environments or configurations, as well as 
alternate programmable logic devices, such as pro- 
grammable array logic ("PALs") and programmable log- 
ic arrays ("PLAs"), digital signal processors ("DSPs"), io 
field programmable gate arrays ("FPGAs"), application 
specific integrated circuits (■ ASICs"), large scale inte- 
grated circuits ("LSIs"), very large scale integrated cir- 
cuits ("VLSIs") or the like - to form the varfous types of 
modules, circuitry, controllers, routines and systems de- 
scribed and claimed herein. 

Conventional computer system architecture is more 
fully discussed in The Indispensable PC Hardware 
Book, by Hans-Peter Messmer, Addison Wesley (2nd 
ed. 1 995) and Computer Organization and Architecture, 20 
by William Stallings. MacMillan Publishing Co. (3rd ed. 
1993); conventwnal computer, or communications, net- 
work design is more fully discussed in Data Network De- 
sign, by Darren L Spohn, McGraw-Hill, Inc. (1993); and 
conventional data communications Is more fully dis- 2S 
cussed in Voice and Data Communicatbns Handbook, 
by Bud Bates and Donald Gregory, McGraw-Hill, Inc. 
(1 996), Data CommunKathns Principles, by R. D. Gitlin, 
J. F. Hayes and S. B. Weinstein, Plenum Press (1992) 
and 77?© Irwin Handbook of Telecommunications, by 30 
James Harry Green, Irwin Professksnal Publishing (2nd 
ed. 1992). 



Claims 



3S 



1 . A central proxy system for coupling to a network and 
for allowing users to browse sen/er sites on said 
network anonymously via said central proxy sys- 
tem, said central proxy system comprising: 40 

a computer-executable first roatine that proc- 
esses site-specific substitute identifiers con- 
structed from data specific to said users; 
a computer-executable second routine that 45 
transmits said substitute identifiers to said serv- 
er sites and thereafter retransmits browsing 
commands received from said users to said 
server sites; and 

a computer-executable third routine that re- so 
nrioves portions of said browsing commands 
that would identify said users to said sender 
sites. 

2. The central proxy system as recited in Claim 1 ^5 
wherein said data comprises identlfrcatlon data and 

a user definable character string supplied by said 
users. 



3. The central proxy system as recited in Claim 1 
wherein said site-specific substitute identifiers com- 
prise site-specific substitute user names and site- 
specific substitute user passwords. 

4. The central proxy system as recited in Claim 1 
wherein said first routine constructs site-specific 
substitute electronic mail addresses for said users 
from said data. 

5. The central proxy system as recited in Claim 1 
wherein said first routine constructs said site-spe- 
cific substitute identifiers from addresses of said 
sender sites. 

6. The central proxy system as recited in Claim 1 
wherein said server sites are World Wide Web sites 
capable of presenting web pages to said users, said 
second routine transmitting said substitute identifi- 
ers to said sewer sites under directton of said users. 

7. The central proxy system as recited in Claim 1 
wherein said second routine transmits said substi- 
tute identifiers to said sen/er sites based on alpha- 
numerk: codes supplied in web page fields by said 
users. 

8. The central proxy system as recited in Claim 7 
wherein said alphanumeric codes are arranged in 
escape sequences. 

9. The central proxy system as recited in Claim 7 
wherein sakj users manually place said alphanu- 
meric codes in sakJ web page fields. 

10. The central proxy system as recited in Claim 9 
wherein said central proxy system communicates 
with computer-executable local routines associated 
with said users. sakJ local routines constructing sakJ 
site-specific substitute kientiflers from data specific 
to said users. 

11. The central proxy system as recited in Claim 1 fur- 
ther comprising a data store capable of containing 
electronk; mail destined for said users. 

12. The central proxy system as recited in Claim 1 
wherein said first routine processes substitute kJen- 
tifiers constructed by applying pseudo-random and 
hash functions to said data received from said us- 
ers. 

13. The central proxy system as recited in Claim 1 fur- 
ther comprising a data store capable of containing 
electronic mailboxes for said users and specific to 
said sen/er sites. 

14. The central proxy system as recited in Claim 13 
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Wherein each of said electronic maillx)xes has a key 
associated therewith, said key being a function of 
said data and an index number. 

15. The central proxy system as recited in Claim 1 fur- 
ther comprising a computer-executable routine 
that, given said substitute identifiers, collects elec- 
tronic mail destined for said users and contained 
within a plurality of site-specific electronic mailbox- 
es. 

16. The central proxy system as recited in Claim 1 
wherein said first routine receives session tags add- 
ed to said browsing commands, said central proxy 
system employing said session tags to associate 
said substitute identifiers with each of said browsing 
commands. 

17. The central proxy system as recited in Claim 1 fur- 
ther comprising a data store capable of containing 
session information specific to saki users and ac- 
cessible by said server sites. 

18. The central proxy system as recited in Claim 1 fur- 
ther comprising a data store capable of containing 
electronic payment information, said users employ- 
ing said electronic payment Information to engage 
In anonymous commerce with said server sites. 

19. The central proxy system as recited in Claim 1 fur- 
ther comprising an initializing routine that con- 
structs said site-specific substitute identifiers from 
data specific to saki users and communicates said 
srte-specific substitute klentifiers to said first rou- 
tine. 

20. A peripheral proxy system for coupling to a network 
and for allowing at least one user to browse a sender 
site on said network anonymously via a central 
proxy system, said peripheral proxy system com- 
prising: 

a computer-executable first routine that con- 
structs a particular substitute identifier from da- 
ta received from a particular user; and 
a computer-executable second routine that 
transmits said particular substitute identifier to 
said central proxy system, said central proxy 
system retransmitting said particular substitute 
identifier to said server site and thereafter re- 
transmitting browsing commands received 
from sakj particular user to said sen/er site. 

21. The peripheral proxy system as recited In Claim 20 
wherein said data comprises identification data and 
a user definable character string supplied by sakJ 
particular user. 



22. The peripheral proxy system as recited in Claim 20 
wherein said particular substitute identifier compris- 
es a particular substitute user name and a particular 
substitute user password. 

5 

23. The peripheral proxy system as recited in Claim 20 
wherein saki first routine constructs a particular 
substitute electronic mail address for said particular 
user from said data. 

10 

24. The peripheral proxy system as recited in Claim 20 
wherein said first routine constructs said particular 
substitute identifier from an address of said seo/er 
site, said particular substitute identifier therefore 
being specific to sakI sender site. 

25. The peripheral proxy system as recited in Claim 20 
wherein said server site is a World Wide Web site 
capable of presenting at least one web page to said 

20 users, said central proxy system transmitting said 
particular substitute identifier to said server site un- 
der direction of sakJ particular user. 

26. The peripheral proxy system as recited in Claim 20 
25 wherein said central proxy system said particular 

substitute identifier to said server site based on al- 
phanumeric codes supplied in web page fields by 
said user. 

30 27. The peripheral proxy system as recited in Claim 26 
wherein said alphanumeric codes are arranged In 
escape sequences. 

28. The peripheral proxy system as recited in Claim 20 
35 wherein said central proxy system further compris- 
es a computer-executable third routine that re- 
moves portions of sakJ browsing commands that 
would kientify said particular user to said server 
site. 

40 

29. The peripheral proxy system as recited in Claim 28 
wherein said first and second routines are execut- 
able on a computer system associated with said 
particular user and said central proxy system is a 

4S computer system having a networic address differ- 
ent from said computer system associated with sakJ 
particular user. 

30. The peripheral proxy system as recited In Claim 20 
50 wherein said central proxy system further compris- 
es a data store capable of containing electronic mail 
destined for said particular user. 



31. The peripheral proxy system as recited in Claim 20 
wherein said first routine constructs said particular 
substitute identifier by applying pseudo-random 
and hash functions to said data received from said 
particular user. 



2S 
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32. The peripheral proxy system as recited in Claim 20 
wherein said central proxy system further compris- 
es a data store capable of containing an electronic 
mailbox for said particular user and specific to said 
server site. s 

33. The peripheral proxy system as recited in Claim 32 
wherein said electronic mailbox has a key associ- 
ated therewith, said key being a function of said da- 
ta and an index number. io 

34. The peripheral proxy system as recited in Claim 20 
wherein said central proxy system further compris- 
es a computer-executable routine that, given said 
particular substitute identifier, collects electronic is 
mail destined for said particular user and contained 
within at least two electrons mailboxes. 

35. The peripheral proxy system as recited in Claim 20 
wherein said central proxy system further compris- 20 
es a computer-executable marker routine that adds 
session tags to sakd browsing commands, said 
proxy system employing said session tags to asso- 
ciate said particular substitute identifier with each 

of said browsing commands. 2S 

36. The peripheral proxy system as recited in Claim 20 
wherein said central proxy system further compris- 
es a data store capable of containing session infor- 
mation specific to said particular user and accessi- 30 
ble by said server site. 



37. The peripheral proxy system as recited In Claim 20 
wherein said central proxy system further compris- 
es a data store capable of containing electronic pay- 
ment informatbn, said particular user employing 
said electronic payment information to engage in 
anonymous commerce with said server site. 

38. A method for use with a network having a server 
site capable of being browsed by users and for al- 
lowing said users to browse said server site on said 
network anonymously via said proxy system, said 
method comprising the steps of: 

constructing a particular substitute identifier 
from data received from a particular user; 
transmitting said particular substitute identifier 
to said server site; and 

thereafter retransmitting browsing commands 
received from said particular user to saki server 
site. 

39. The method as recited in Claim 38 wherein said da- 
ta comprises identification data and a user defina- 
ble character string supplied by said particular user. 

40. The method as recited in Claim 38 wherein said par- 



ticular substitute identifier comprises a particular 
substitute user name and a particular substitute us- 
er password. 

41. The method as recited In Claim 38 further compris- 
ing the step of constructing a particular substitute 
electronic mail address for said particular user from 
said data. 

42. The method as recited in Claim 38 wherein said 
step of constructing comprises the step of con- 
structing said particular substitute identifier from an 
address of said server site, said particular substitute 
Identifier therefore being specific to said sender site. 

43. The method as recited In Claim 38 wherein said 
senrer site Is a World Wide Web site capable of pre- 
senting at least one web page to said users, said 
method further comprising the step of transmitting 
said particular substitute identifier tosaid server site 
under direction of said particular user. 

44. The method as recited in Claim 38 wherein said 
step of transmitting comprises the step of transmit- 
ting said particular substitute identiflertosakJ sender 
site based on alphanumeric codes supplied In web 
page fields by said user. 

45. The method as recited in Claim 44 wherein said al- 
phanumeric codes are arranged in escape se- 
quences. 



46. The method as recited in Claim 38 further compris- 
ing the step of removing portions of said browsing 

3s commands that would identify said partk^ular user 
to said server site. 

47. The method as recited in Claim 46 wherein saki 
step of constructing is perfomied on a computer 

40 system associated with said particular user and 
said steps of transmitting and thereafter transmit- 
ting are performed on a computer system having a 
network address different from said computer sys- 
tem associated with said particular user. 

45 

48. The method as recited in Claim 38 further compris- 
ing the step of storing electronic mail destined for 
sakj particular user. 

so 49, The method as recited in Claim 38 wherein said 
step of constructing comprises the step of applying 
pseudo-random and hash functions to sakJ data re- 
ceived from said particular user. 

ss 50. The method as recited in Claim 38 further compris- 
ing the step of creating an electronk; mailbox for 
. saki partbular user and specific to said sender site. 
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51. The method as recited In Claim 50 wherein said 
electronic mailbox has a key associated therewith, 
said key being a function of sakJ data and an index 
number. 

5 

52. The method as recited in Claim 38 further compris- 
ing the step of collecting electronic mail destined for 
said particular user and contained within at least 
two electronic mailboxes given said partk:ular sub- 
stitute identifier io 

53. The method as recited in Claim 38 further compris- 
ing the step of adding session tags to said browsing 
commands, said proxy system employing said ses- 
sion tags to associate said particular substitute ib 
identifier with each of said browsing commands. 

54. The method as recited in Claim 38 further compris- 
ing the step of storing session information specific 

to said particular user and accessible by said server 20 
site. 

55. The method as recited in Claim 38 further compris- 
ing the step of storing electronic payment informa- 
tion, saki particular user employing said electronic 2S 
payment information to engage in anonymous com- 
merce with said server site. 
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Welcome to Janus! 



Janus is a system for personalized anonymous Web access. 

Janus generates consistent untraceable aliases for you from the 
information you provide in this page. Janus neither stores this 
mformation nor passes it to any server. Consciknlally, Janus does 
not authenticate you. You must provide the same information in future 
sessions to generate the same aliases. 

You will sec this form only once at the beginning of the session. You 
cannot change the input to Janus during the rest of your session, 
unless Janus detects that it fails to authenticate you: 

pie pair <user name. alias-secd> should be unique among all Janus users. You can use your 
E-mail address as your name to reduce chance of collision with other users. Janus will not pass 
your name to any ser\'er. Maximal size for user name and seeds is 1000 characters each. 

Enter your user name (use your E-mail address): 



Enter your secret must contain at least 8 charactcn): 



Veri^ your secret by typing it again: 



IsubmitI ItoctI 



Click has for more infonnation about Janus. 
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The New York Tribune 

Registration 

Welame to The New York Tribune on the Web. If vou're visiang us 
for the first time, please register now by filling out the fonn below, 
mere is currentiv no charge fcr U.S. residents to subscrilic to our 
site, but we are requiring r^istradon, which is a cn^tilne onhf 
process. ^ 

If you have already registered, continue to thehpirepag e. if 
you vc registered, but ait having problems entenn;the~site. 
consult our help section. 

Choose a Subscriber D for The Nev York Tribune on the 
Web: 



<Doao> 



Choose i password: 



I * tft«*« 



Himimum five characters 



Uimimum five characters 



Re-enter password for confirmation: 



Enter your e-mafl address; 
II<OQoa> 



Help 



Ml 
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